Protocols

Internet Security Association and Key Management Protocol (ISAKMP)
A framework for the negotiation and management of security associations between peers (traverses UDP/500)

Internet Key Exchange (IKE)
Responsible for key agreement using asymmetric cryptography

Encapsulating Security Payload (ESP)
Provides data encryption, data integrity, and peer authentication; IP protocol 50

Authentication Header (AH)
Provides data integrity and peer authentication, but not data encryption; IP protocol 51

Encryption Algorithms

Algorithm  Type        Key Length (Bits)  Strength
DES        Symmetric   56                 Weak
3DES       Symmetric   168                Medium
AES        Symmetric   128/192/256        Strong
RSA        Asymmetric  1024+              Strong

Hashing Algorithms

Algorithm  Length (Bits)  Strength
MD5        128            Medium
SHA-1      160            Strong

IKE Phases

Phase 1
A bidirectional ISAKMP SA is established between peers to provide a secure management channel (IKE in main or aggressive mode)

Phase 1.5 (optional)
Xauth can optionally be implemented to enforce user authentication

Phase 2
Two unidirectional IPsec SAs are established for data transfer using separate keys (IKE quick mode)

IPsec Modes

[Figure: header layout of the original packet, a transport mode packet, and a tunnel mode packet]

Transport Mode
The ESP or AH header is inserted behind the IP header; the IP header can be authenticated but not encrypted

Tunnel Mode
A new IP header is created in place of the original; this allows for encryption of the entire original packet

Security Services

Data Integrity
Secure hashing (HMAC) is used to ensure data has not been altered in transit

Data Confidentiality
Encryption is used to ensure data cannot be intercepted by a third party

Data Origin Authentication
Authentication of the SA peer

Anti-replay
Sequence numbers are used to detect and discard duplicate packets

Hash Message Authentication Code (HMAC)
A hash of the data and secret key used to provide message authenticity

Diffie-Hellman Exchange
A shared secret key is established over an insecure path using public and private keys

Configuration

ISAKMP Policy
  crypto isakmp policy 10
   hash sha
   authentication pre-share
   group 2
   lifetime 3600

ISAKMP Pre-Shared Key
  crypto isakmp key 0 MySecretKey address 10.0.0.2

IPsec Transform Set
  crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac
   mode tunnel

IPsec Profile
  crypto ipsec profile MyProfile
   set transform-set MyTS

Virtual Tunnel Interface
  interface Tunnel0
   ip address 172.16.0.1 255.255.255.252
   tunnel source 10.0.0.1
   tunnel destination 10.0.0.2
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile MyProfile

Troubleshooting
  show crypto isakmp sa
  show crypto isakmp policy
  show crypto ipsec transform-set
  show crypto ipsec sa
  debug crypto {isakmp | ipsec}
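Added example (not part of the cheat sheet): a small Python audit that parses IOS ISAKMP policies and IPsec transform sets and rates each encryption and hash algorithm with the strength table above. The sample configuration is constructed, and a policy that sets no encryption command is rated as DES, which is assumed to be the IOS default.

```python
"""Rate Cisco IOS ISAKMP policies and IPsec transform sets with this cheat sheet's strength table."""
import re

ENCRYPTION_STRENGTH = {"des": "Weak", "3des": "Medium", "aes": "Strong"}
HASH_STRENGTH = {"md5": "Medium", "sha": "Strong"}

# Constructed sample: the cheat sheet's policy 10 and MyTS plus a deliberately weak pair.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 hash sha
 group 2
crypto isakmp policy 20
 encryption 3des
 hash md5
crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set OldTS esp-des esp-md5-hmac
"""

def audit_isakmp_policies(config):
    """Policy number -> ratings; a policy with no 'encryption' line gets the assumed IOS default, DES."""
    results, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:  # new policy block: start from the assumed IOS defaults (DES encryption, SHA hash)
            current = m.group(1)
            results[current] = {"encryption": ENCRYPTION_STRENGTH["des"], "hash": HASH_STRENGTH["sha"]}
        elif current and line.startswith(" "):  # sub-command inside the current policy
            keyword, value = (line.split() + [""])[:2]
            if keyword == "encryption":
                results[current]["encryption"] = ENCRYPTION_STRENGTH.get(value, "Unknown")
            elif keyword == "hash":
                results[current]["hash"] = HASH_STRENGTH.get(value, "Unknown")
        else:
            current = None  # any other top-level command ends the policy block
    return results

def audit_transform_sets(config):
    """Transform-set name -> ratings of its ESP/AH encryption and HMAC transforms."""
    results = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.*)$", config, re.M):
        rating = {"encryption": "None", "hash": "None"}
        for transform in m.group(2).split():  # e.g. esp-aes, 256, esp-sha-hmac
            parts = transform.split("-")
            if len(parts) == 3 and parts[2] == "hmac":  # esp-sha-hmac, ah-md5-hmac
                rating["hash"] = HASH_STRENGTH.get(parts[1], "Unknown")
            elif len(parts) == 2 and parts[1] in ENCRYPTION_STRENGTH:  # esp-des, esp-aes
                rating["encryption"] = ENCRYPTION_STRENGTH[parts[1]]
        results[m.group(1)] = rating
    return results
```

Run against a saved `show running-config`, anything rated Weak or Medium is a candidate for moving to AES and SHA, as the strength table recommends.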